PAN-OS

Set a URL admin override password.
Select
Device
Setup
Content ID
.
In the
URL Admin Override
section, click
Add
.
In the
Location
field, select the virtual system to which this password applies.
Enter a
Password
, then enter it again to
Confirm Password
.
Select an
SSL/TLS Service Profile
.
SSL/TLS service profiles specify the certificate that the firewall presents to the user if the site with the override is an HTTPS site.
Select a
Mode
for prompting user for the password:
Transparent
—The password prompt appears to originate from the original destination URL. The firewall intercepts the browser traffic destined for sites in a URL category set to override and issues an HTTP 302 to prompt for the password, which applies on a per-vsys level.
The client browser will display certificate errors if it does not trust the certificate.
Redirect
—The password prompt appears from an
Address
(IP address or DNS hostname) that you specify. The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and uses an HTTP 302 redirect to send the request to a Layer 3 interface on the firewall.
Click
OK
.
(
Optional
) Set the duration of override access and password lockouts.
By default, users can access websites in categories for which they have successfully entered an override password for 15 minutes. After the default or custom interval passes, users must re-enter the password.
By default, users are blocked for 30 minutes after three failed password attempts. After the user is locked out for the default or custom duration, they can try to access the websites again.
Edit the URL Filtering section.
For
URL Admin Override Timeout
, enter a value (in minutes) from 1 to 86,400. ---By default, users can access sites within the category for 15 minutes without re-entering the password.
For
URL Admin Lockout Timeout
, enter a value (in minutes) from 1 to 86,400.
Click
OK
.
(
Redirect mode only
) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
Select
Network
Interface Mgmt
and click
Add
.
Enter a
Name
for the profile, select
Response Pages
, and then click
OK
.
Create the Layer 3 interface. Be sure to attach the management profile you just created (on the
Advanced
Other Info
tab of the Ethernet Interface dialog).
(
Redirect mode only
) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override.You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
To create a root CA certificate, select
Device
Certificate Management
Certificates
Device Certificates
and then click
Generate
. Enter a
Certificate Name
, such as RootCA. Do not select a value in the
Signed By
field (this is what indicates that it is self-signed). Make sure you select the
Certificate Authority
check box and then click
Generate
the certificate.
To create the certificate to use for URL admin override, click
Generate
. Enter a
Certificate Name
and enter the DNS hostname or IP address of the interface as the
Common Name
. In the
Signed By
field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
Generate
the certificate.
To configure clients to trust the certificate, select the CA certificate on the
Device Certificates
tab and click
Export
. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).
Specify which URL categories require an override password to enable access.
Select
Objects
URL Filtering
and either select an existing URL Filtering profile or
Add
a new one.
On the
Categories
tab, set the Action to
override
for each category that requires a password.
Complete any remaining sections on the URL Filtering profile and then click
OK
to save the profile.
Apply the URL Filtering profile to the Security policy rule(s) that allows access to the sites requiring password override for access.
Select
Policies
Security
and select the appropriate Security policy to modify it.
Select the
Actions
tab and in the
Profile Setting
section, click the drop-down for
URL Filtering
and select the profile.
Click
OK
to save.
Commit
the configuration.